Hi folks,

a few months ago I had replaced the externally signed root 
certificate on my servers (CentOS 7.3) using ipa-cacert-manage. 
Problem: 

ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
freeipa 3.0.2) fails. Apparently it stumbles over the old root 
certificate:

# ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh --no-sshd 
--no-ntp
Discovery was successful!
Hostname: pobde7i001.vs.example.de
Realm: EXAMPLE.DE
DNS Domain: example.de
IPA Server: ipa1.example.de
BaseDN: dc=example,dc=de

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Password for ad...@example.de: 
Enrolled in IPA realm EXAMPLE.DE
Created /etc/ipa/default.conf
Domain example.de is already configured in existing SSSD config, creating a new 
one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.DE
trying https://ipa1.example.de/ipa/xml
cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE" 
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
trusted by the user.)
trying https://ipa2.example.de/ipa/xml
cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE" 
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to 
Gettext('any of the configured servers', domain='ipa', localedir=None): 
https://ipa1.example.de/ipa/xml, https://ipa2.example.de/ipa/xml
Installation failed. Rolling back changes.


/etc/ipa/ca.crt on the client shows it somehow picked up the old 
certificate. On the servers /etc/ipa/ca.crt is the new root cert. 
"getcert list" on the servers shows only certificates based upon 
the new root ca, too. I wonder where ipa-client-install picked up 
the unwanted certificate?

Of course I tried putting the new ca.crt into place before running
ipa-client-install, but it was overwritten.

Of course there is no such problem for ipa 4.4.4 on Stretch.


Every heplful hint is highly appreciated
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to